The Security Development Lifecycle - Paper Example

A policy lifecycle refers to a guide that Wilbur Widgets can use when developing a policy to ensure that it is inclusive and meets the policy needs of the organization. Wilbur Widgets can benefit significantly from a policy lifecycle that guides all the activities involved, ensuring that the policy is both inclusive and beneficial to the organization in the long term in resolving its information security challenges. Policy management through the policy lifecycle can help an organization ensure compliance and maintain momentum towards a sustainable policy implementation that protects its information from internal and external threats (Walton, 2002).

Having the right policy and procedure for implementing a policy gives an organization a framework through which it can achieve policy compliance. A good policy lifecycle creates alignment between the policy and the organization's vision and mission. In this case, the policy lifecycle will ensure that Wilbur Widgets' data protection approaches are secure and sustainable in the long term. Having policies in an organization is not enough; the organization needs to manage the new policy through its entire lifecycle to ensure that it meets the organization's needs. Poor management of the information security policy could waste the organization's resources if the policy does not achieve the needs that prompted the policy initiative (Howard & Lipner, 2006).

Policy Scoping and Initiation

Policy scoping refers to the assessment of the organization's policy needs in order to determine the type of policy that would be ideal for the organization. Policy scoping compares the organization's needs with the proposed policy to ensure that the new policy closes the organization's policy gap. The assessment stage of policy scoping examines the organization's assets and the threats to the organization's data that the policy should address. The scoping stage is important in a policy lifecycle because it assesses whether the organization has enough resources to develop and implement the policy, as well as the scope of the policy to be implemented. Further, the scoping stage helps an organization estimate the resources required for the entire policy lifecycle and identify any threats to the policy's implementation. Assessing the threats to the policy's implementation ensures that the organization is ready and prepared with the necessary risk and threat mitigation approaches, so that the policy succeeds and meets the organization's policy needs (Coles, 2015).

Policy initiation refers to the assessment of different policies that could meet the organization's policy needs and the selection of the one best suited to its information security needs. Policy initiation involves establishing an organizational committee that will be in charge of editing and streamlining the new policy so that it is in line with the organization's needs. The organization should also establish, at the policy initiation stage, the resources required for developing the policy (Walton, 2002).

Policy Development

Policy development refers to the process of consultation that creates a policy to address the organization's information security problem. Picking up from the policy initiation stage, the committee established to design the policy assesses the problem that necessitates its creation. During the policy development stage, it is important for the policy creation committee to assess the success of the creation or modification of the policy. The committee appointed by the organization should be able to coordinate all the policy initiatives. Without the committee, the policy may fail for lack of sufficient attention and knowledge to develop the approach to organizational consultation needed to agree on the best policy. The committee also delegates what needs to be done and decides when it will be done. During the policy development stage, it is important for the committee to carry out further research on the proposed policy to identify its scope and to assess its legal and economic implications for the organization (Walton, 2002).

During the policy development stage, consultation is very important in bringing all the organization's stakeholders on board to create an inclusive policy. The consultation process involves all the organization's stakeholders, which ensures that both the employees and the executive are aware of the intended policy. Through the consultation process, the committee can draft a policy that considers all the data and security needs of the organization while bringing all the stakeholders on board to own the policy (Rees et al., 2003).

Approval and Communication

After the creation of the policy draft, the committee communicates the newly adopted policy to all the stakeholders within the organization and to the organization's partners. During the communication and approval stage, the committee should create training sessions that inform employees of the new policy and how it will affect their day-to-day activities. Failure to communicate the policy well can lead to the collapse of the policy and to poor effectiveness in ensuring the security of the organization's data (Howard & Lipner, 2006).

Policy Implementation and Monitoring

After the approval and communication of the policy, the committee can implement the policy and monitor its progress, re-evaluating the policy as needed to ensure that it remains inclusive and meets its primary purpose. The implementation and monitoring process assesses possible gaps in the policy, such as the availability of resources, and establishes areas that will require improvement, such as employee knowledge of the policy. Monitoring the policy also ensures that the organization can hold the policy managers accountable for its success.

Policy Review

The review is the final stage of the policy lifecycle; it evaluates the success of policy enforcement by assessing the results of the policy's implementation. Policy review compares the policy's results with the original organizational gap that necessitated the creation of the policy. If the policy closes the information security gap detected earlier, it is maintained; if the organization still experiences information security threats, the policy is kept and managed to achieve the organization's information security needs. On the other hand, if the security policy does not close the organization's gap, it is replaced, or complementary security policies can be created to strengthen it so that it meets the organization's information security gap (Howard & Lipner, 2006).

Policy Implementation Plan

The policy implementation plan is the actual execution of the policy to protect the organization's information.

Threat Assessment and Goal Setting

The policy implementation plan commences with a risk or asset threat assessment. The threat assessment helps an organization set achievable goals for mitigating the threat through the policy. The goals should reflect a clear and shared understanding of the organization's information security problem, bringing all the stakeholders of the organization together to deal with it. The goal-setting process should help an organization prioritize the policy's outcomes, which then serve as tools for monitoring the policy's success and effectiveness (Rees et al., 2003).


Planning is an important factor in the policy implementation process. The planning process helps in reviewing and appraising all the options available for implementing the policy. Planning also helps an organization decide how best the established outcomes can be realized and identifies the activities and roles of every stakeholder in achieving the information security goal. Planning further identifies how the security outcomes will be achieved and how the organization will measure the policy's progress (Walton, 2002).

Actual Policy Implementation

After planning for the policy implementation comes the actual implementation of the policy, which will be reflected in the number of information technology employees as well as in the new systems integrated into the organization to guard against hackers and other cyber criminals (Rees et al., 2003).

Progress Review

For a policy to succeed, it is important for the organization to carry out regular assessments of the policy's progress to ensure that it remains in line with the organization's needs. Assessing the implementation plan helps an organization identify approaches that can improve the policy's implementation as technology changes and time brings about new threats (Rees et al., 2003).


Coles, E. S. (2015). Analyzing and specifying security requirements in early stages of software development lifecycle. Journal of Mobile, Embedded and Distributed Systems, 7(2), 87-94.

Howard, M., & Lipner, S. (2006). The security development lifecycle (Vol. 8). Redmond: Microsoft Press.

Rees, J., Bandyopadhyay, S., & Spafford, E. H. (2003). PFIRES: a policy framework for information security. Communications of the ACM, 46(7), 101-106.

Walton, J. P. (2002, November). Developing an enterprise information security policy. In Proceedings of the 30th annual ACM SIGUCCS conference on User services (pp. 153-156). ACM.
